Bienvenido! - Willkommen! - Welcome!

Bitácora Técnica de Tux&Cía., Santa Cruz de la Sierra, BO
Bitácora Central: Tux&Cía.
Bitácora de Información Avanzada: Tux&Cía.-Información
May the source be with you!

Wednesday, May 25, 2011

HP JetDirect hacking


Changing the LCD display text using HPhack, IGhphack or Hijetter
         This is an old hack (1997) and does not accomplish much, but it is fun! Silicosis of L0pht ( wrote the original exploit code for *nix  systems and someone else ported it to NT/2000/XP based systems. Although it's been out there for a long time, it still works on every HP printer/JetDirect box I have seen. What the HP display hack allows you to do is set the text that displays on the little LCD panel of an HP printer. It accomplishes this over the network by sending packets to a JetDirect box hooked to the printer (or built into it).
        The first thing you need to do is find out the IP or hostname of the JetDirect box that services the printer. You can do this in one of at least three ways. The first way is by hitting the little test button on the JetDirect box that's connected to the printer. If the JetDirect card is built in you may have to go through the menus and choose "Print Configuration". Another way is to go into your "Printers and Faxs" settings, right click and bring up the properties of the printer in question, and look under the Ports tab for the hostname (npi******). Once you have this information it's easy to run Silicosis ' little hack.
        To run it from Windows just use the following syntax: hpnt Hostname Message
Windows Example:
C:\>hpnt npi769e71 "Irongeek"
HP Display hack --
Hostname: npi769e71
Message: Irongeek
Sent 54 bytes

C:\>hpnt "Irongeek Also"
HP Display hack --
Message: Irongeek Also
Sent 59 bytes

        If you want to run it from Linux download the source code at the bottom of this section and compile it using gcc. The syntax is the same as the Windows version. Below is an example of how to compile and run it:
[root@balrog root]# gcc -o hphack hp.c
hp.c:28:12: warning: multi-line string literals are deprecated
[root@balrog root]# ./hphack  "Irongeek"
HP Display hack --
Message: Irongeek
Sent 54 bytes

[root@balrog root]#
        A few ideas for messages: "Hey Baby", "X was Here", "I see You", "Redrum", "Kill". Enjoy. If you like you can download Silicosis hack from one of these links:
        I'm working on my own GUI version with extra features; its web page can be found here:
        Unfortunately it's pretty buggy.
        The easiest tool to use may be Hijetter by FtR of Phenoelit, which is covered in the next section.

Phenoelit's Hijetter and PFT 
        Hijetter seems to be the Swiss army knife of HP JetDirect hacking. It can control a JetDirect box with PJL commands, and works even if a password is set (at least on my HP JetDirect 300X).You can download the binary and the source code for this app from:
        Below is a screen show of Hijetter 's interface.  To use Hijetter just type in the IP or host name of your JetDirect box and click the connect icon.
        You should notice that a few of the icons at the bottom of the interface light up.
        You can only use the icons that are lit up. The first icon, from left to right, lets you control the file system on the JetDirect (if it has one), the next icon lets you make changes to the settings and the last icon lets you set the text that displace on the LCD screen. I'll cover these tasks in reverse order since I'm contrary like that.
Setting the LCD Display with Hijetter
1. After you have connected to the JetDirect box click the LCD Display icon.
2. Type in the message you want the printers LCD to display.
3. If you check the "Failure" radio button the printer will stop printing until someone hits the ok/continue/online button on the printer, or it's reset.
4. Click the confirm button and your message should now appear on the printers LCD.

Changing settings with Hijetter
1. After you have connected to the JetDirect box click the settings icon.
2. Find the environmental variable you want to change and type in the value you want to set it to, keeping in mind the limitations listed in the "Info" panel.
3. Use the assign button to set your change. An M should appear next to the variable you changed. 
4. Click the confirm button and you're done.
Using Hijetter to treat some JetDirect boxes as files/web servers
1. After you have connected to the JetDirect box click the File System icon.
2. Use the arrows to transfer files to and from your client to the JetDirect box. Keep in mind that you can only transfer one file at a time with Hijetter.
3. The New Folder and Delete icons can be used for their obvious functions.
4. Click the confirm button and you're done.
Finding stored faxes and print jobs on Jetdirect printers
        Look around the file system and download any files that looks interesting. Most of them don't have obvious file extensions so open them up in a text editor and look at the headers to try and figure out what they are. Here are a few of the things I've found by searching around this way:
Location What I've found
/saveDevice/DigitalSend/jobs Jpegs with names like DS000848.005 that seem to be either print jobs or Faxes .
/FaxOut Tif files from sent Faxes
/FaxIn PCL files from received Faxes. See my NetCat and FTP tricks later for more information on how to print them.
/Fax/act.log Seems to be a log of phone numbers where things have be faxed to or from. Could be useful for social engineering.
         Also notice that the Hewlett-Packard LaserJet 4100 MFP we connected to has a 20Gig hard drive, which makes for a great place to hide and serve large files. I've noticed on the MFP a file can be uploaded to:
and can be accessed from the printers web interface at:

        For example, if you used Hijetter to upload "naughtylinuxgirls.avi" to "/webserver/home/" it can be accessed from the web with the URL:
        Feel free to put your homepage on a printer. :)
        If you're a *nix or Window command line boy, don't despair. The same folks from Phenoelit have provided PFT, a command line utility that can do many of the same things as Hijetter. It can be downloaded and installed with these commands:
mkdir pjllib
cd pjllib
tar -xzf libPJL-1.3-src.tgz
cd pft/

        Here is an example of what it looks like on the command line after you bring up the help page; look at all of the options:
Irongeek:/home/adrian/pjllib/pft# ./pft
PFT - PJL file transfer
FX of Phenoelit
Version 0.7 ($Revision: 1.8 $)

server [hostname]
port [port number]
env {read|print|show|set|options|changed|commit|unprotect|bruteforce}
message "Display Msg"
failure "Failure Msg"
chvol [vol:]
cd [directory]
mkdir [directory]
rm [file]
get [file]
put [local file]
append [local file] [file]
lcd [directory]
timeout [timeout]
PFT also has some limited scripting ability by piping in commands from a text file as this example shows:
Irongeek:/home/adrian/pjllib/pft# cat mypftscript.txt

Irongeek:/home/adrian/pjllib/pft# ./pft
PFT - PJL file transfer
FX of Phenoelit
Version 0.7 ($Revision: 1.8 $)

pft> Server set to
pft> Connected to
Device: HP LaserJet 4100 MFP
pft> 0:\
. - d
.. - d
PermStore - d
PostScript - d
PJL - d
saveDevice - d
cpbLog 5227 -
Fax - d
solution - d
webServer - d
FaxOut - d
FaxIn - d

        Since Phenoelit  provides the source code it could be an interesting project to write new automated tools for extracting information from remote JetDirect boxes.

No comments: